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Abstract 

Throughout history, every advance in encryption has been defeated by advances in hacking 
with severe consequences. Quantum cryptography [1] holds the promise to end this battle by 
offering unconditional security j3"4] when ideal single-photon sources and detectors are employed. 
Unfortunately, ideal devices never exist in practice and device imperfections have become the 



targets of various attacks [5j-(8|]. By developing up-conversion single-photon detectors with high 
efficiency and low noise, we build up a measurement-device-independent quantum key distribution 
(MDI-QKD) system j9j, which is immune to all hacking strategies on detection. Meanwhile, we 



employ the decoy-state method 



10-12] to defeat attacks on non-ideal source. By closing the 



loopholes in both source and detection, our practical system, which generates more than 25 kbit 
secure key over a 50-km fiber link, provides an ultimate solution for communication security. 
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The gap between ideal devices and realistic setups has been the root of various security 



loopholes 



13 



14J ]. which have become the targets of many attacks 



5-8 



remendous efforts 



16( | . However, the 



have been made towards loophole-free QKD with practical devices [15l . 
question of whether security loopholes will ever be exhausted and closed still remains. 

Here, we report a QKD experiment, that closes the loopholes in both source and detection 
and hence can achieve unconditionally secure communication. On one hand, ideal single 



photon sources are replaced wit 



10 



i weak coherent states by varying mean photon intensities 



121 ] . On the other hand, by implementing the MDI-QKD 



— the decoy-state method 
protocol [9] , all the detection side channels are removed from our system. 

In a conventional QKD system, such as prepare-and-measure protocols, the sender, Alice, 
sends quantum states encoded with key information (qubits) to the receiver, Bob, who then 
measures them, as shown in Fig UK- A malicious eavesdropper, Eve, may intercept and 
manipulate the quantum signals travelin g in the channel, and forward tampered signals to 
Bob. In a typical security proof of QKD 13| . one assumes that Eve performs manipulation 
on the Hilbert space of qubits. Since the photons have degrees of freedom other than the one 
used for key information encoding, Eve might take advantage of the side-channel information. 
For example, when an efficiency mismatch exists between detectors ]5j, Eve can steal some 
information of the key by shifting the arrival times of the quantum signals at Bob, which 
is called time-shift attack More attacks can be launched if other degrees of freedom are 
considered: for instance, the detector blinding attack {7, 8] exploits the detector's after-gate 
pulses and dead time. 

MDI-QKD protocols close all loopholes on detection at once. In fact, the detectors 

in a MDI-QKD setup can even be assumed to be in Eve's possession. As shown in Fig. [Do, 
Alice and Bob encode the key information onto their own quantum states independently and 
then send them to the detection station for a Bell-state measurement (BSM). The quantum 
signals from two arms are interfered in a beam splitter and then detected by two detectors. 
Certain post-selected coincidence events are used as the raw key. As discussed in Ref. js], 
even if Eve controls the measurement site, she cannot gain any information on the final key 
without being noticed. The security of MDI-QKD is based on the time-reversed version of 
entanglement-based QKD protocols 



18 



19], which is naturally immune to any attacks on 



detection. 

In our experimental realization, we implement the time-bin phase-encoding MDI-QKD 




FIG. 1. (a) Conventional prepare-and-measure QKD setup, where Alice sends qubits to Bob 
through an insecure quantum channel, controlled by Eve. (b) MDI-QKD setup, where Alice and 
Bob each sends quantum signals to Eve for measurement. 

scheme , as shown in Fig. |2K Alice and Bob first randomly prepare their time-bin 

qubits in one of the two bases, denoted by Z and X. If the Z-basis is used, the key bit 
is encoded in time-bin or time-bin 1 by an amplitude modulator (AM). If the X-basis is 
used, the key bit is encoded into the relative phases, or it, between the two time bins by a 
phase modulator (PM). Each party sends quantum signals to the measurement station for 
partial BSM. A successful BSM event occurs when the two qubits interfere perfectly in a 
beam splitter and the two detectors have a coincidence at alternative time bins. Then, in 
the Z-basis, a valid BSM always results in complementary bits between Alice and Bob, as 
is the case for the AT-basis when each pulse contains only one photon. The multi-photon 
component in the coherent state pulse may cause fake coincidence, which introduces 50% 
bit error rate in the X-basis. After the announcement from the measurement site, Alice and 
Bob will compare their basis choices and select out the sifted key (a.k.a, basis sift). Then 
they can perform post-processing to extract a final secure key. 

A critical aspect to this experiment is the indistinguishability of the signal pulses gener- 
ated by the two independent laser sources, mainly in three dimensions: spectrum, timing 
and polarization. Any mismatch in these dimensions would introduce errors in the AT-basis. 
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FIG. 2. (a) Diagram of our MDI-QKD setup. Alice passes her laser pulses through an unbalanced 
Mach-Zehnder (MZ) interferometer, with an arm difference of 6 meters, to generate two time-bin 
pulses. A phase modulator (PM) and three amplitude modulators (AM) are used to encode the 
qubit and generate decoy states. All the modulations are controlled by quantum random number 
generators. In order to reduce the temperature fluctuation, we put all the modulators into ther- 
mostatic containers. Bob's encoding system is the same as Alice's. The pulses are then attenuated 
by an attenuator (ATT) and sent out via fiber links from Alice and Bob to the measurement site. 
After traveling through 25 km fiber spools of each arm and polarizers (Pol.), signal pulses from two 
sides are interfered at a 50:50 fiber beam-splitter (BS) for a partial BSM. The output photon is 
detected by up-conversion detectors and recorded with a time interval analyzer, (b) Diagram of an 
up-conversion single-photon detector. PC: polarization controller, DM: dichroic mirror, BP: band 
pass filter, SP: short pass filter, (c) Phase stabilization setup. Cir: circulator, PS: phase shifter, 
PBS: polarizing beam splitter. 

Firstly, the wavelength difference between Alice's and Bob's pulses need to be small com- 
pared to the bandwidth of the laser pulse. In our system, we utilize a 1 MHz shared time 
reference from a field-programmable gate array to modulate two independent distributed 
feedback (DFB) laser diodes to produce Alice's and Bob's signal pulses. The pulse width is 
about 2 ns and its wavelength centers at 1550.200 nm with a full width at half maximum 
(FWHM) of about 10 pm. By adjusting the temperature control precisely, the laser's central 
wavelength can be set to a precision of about 0.1 pm, which is small enough to keep the error 
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rate low. Secondly, the temporal modes of Alice's and Bob's pulses should be overlapped 
precisely. We use an optical delay (OD) in Alice's station to adjust the pulse timing. The 
resolution of the OD is better than 10 ps and the time jitter of the laser pulses is also around 
10 ps, which is small compared to the pulse width of 2 ns. Thirdly, the polarization of the 
quantum signals may rotate during the channel transmission due to the fiber birefringence. 
In front of the interference beam splitter, we insert a polarization controller and a polarizer 
in each arm to make the polarization indistinguishable. 

The relative phase between the two arms of the Mach-Zehnder (MZ) interferometer may 
fluctuate with temperature and stress, which introduces further errors in the X-basis. We 
use an additional fiber between Alice and Bob as for feedback to stabilize the interferometer 
phases. By sending light from another laser light from Alice's MZ interferometer through 
Bob's MZ interferometer, we monitor the power at one of the outputs of Bob's interfer- 
ometer with a single-photon InGaAs/InP avalanche photodiode (APD). The feedback is 
implemented by using a phase shifter inside Bob's MZ interferometer, as shown in Fig. [2b. 

The performance of QKD systems is determined to a great extent by the quality of 
single-photon detectors, mainly in two aspects — efficiency and noise. In comparison to the 
conventional QKD, MDI-QKD requires two-fold coincidence detection instead of single-fold 
click. Then, the channel transmittance, and hence the key rate, has quadratic dependence on 
the detector efficiency. Thus, high-efficiency single-photon detectors are required for MDI- 
QKD. Under room temperature, an up-conversion single-photon detector can provide highest 
quantum efficiency in telecom band. However, its dark count used to be more than 100 kHz, 



which limits its application in QKD. Here, we utilize long- wave pump technology |20J to 
suppress detector dark counts by two orders of magnitude. In our setup, the signal photon is 
mixed with a strong pump at 1940 nm in a wavelength division multiplexing (WDM) coupler 
and is sent to a fibre-pigtailed periodically poled lithium niobate (PPLN) waveguide, where 
the pump and signal interact via the sum-frequency generation process, as shown in Fig. [2b. 
The PPLN waveguide is a 52-mm-long reverse-proton-exchange waveguide with a poling 
period of 19.6 /im. A Peltier cooler based temperature-control system is used to keep the 
waveguide's temperature at 30 °C to maintain the phase-matching condition. We observe 
a maximum depletion of a 1550-nm input signal of 99%, with a total internal conversion 
efficiency around 85% limited by the waveguide propagation losses. The generated 850 nm 
photons are collected by an anti-reflection (AR)-coated objective lens, and are separated 



from the pump and spurious light using a combination of a short pass filter, a dichroic 
mirror, a prism, and a spatial filter. The light is then focused onto a commercial silicon 
(Si) APD with a detection efficiency of 40% at this wavelength. Using a pump power of 200 
mW, the total-system detection efficiency is 20%, with a dark count rate of approximately 
1 kHz, which can meet the stringent requirements for MDI-QKD. 

At the measurement site, Eve announces the detection events when two detectors click in 
two different time bins. Alice and Bob post-select their key bits as the raw data according 
to Eve's announcement. To extract the final secure key out of the raw data, we follow the 
post-processing procedure presented in the Supplementary Information. When Alice and 
Bob respectively use average photon number /i and u, the key rate is given by the standard 
decoy-state formula 

R>Qu[l-H(e n )]-I ec , (1) 

where I ec is the cost of error correction, depending on the overall gain (Q^) and error rate 
(E^); H(e) = — elog 2 (e) — (1 — e) log 2 (l — e) is the binary Shannon entropy function; Qu 
(en) is the gain (phase error rate) when both sources generate single-photon states. 

In the experiment, we run our MDI-QKD system for 59.5 hours to collect raw data. 
Fig. [3k shows the original sifted key bits and error rates in the Z-basis and the X-basis 
with different average photon numbers. From Fig. [3h, one can see that the error rates in the 
Z-basis, E^ u , are less than 0.5%, when the intensities, /x and v, are not 0. With the error 
rates (of decoy and signal states) in the X-basis, we can place an upper bound on the phase 



error rate in the Z-basis, i.e. en, which is 24.6% (21|. Then, we evaluate the final secure 
key rate by Eq. (pQ), as shown in Fig. [3b, from which we can see that the main reductions of 
the key rate come from the non-single-photon components and privacy amplification. The 
privacy amplification part is largely affected by the relatively small data size. Here, we have 
not considered the key cost in authentication and efficiency of privacy amplification, which 



221. 



has been shown to be small, typically, less than 1000 bits, in a practical system 

Finally, Alice transmits a 24192-bit image to Bob via the one-time-pad protocol, using the 
secure key generated from our MDI-QKD system, shown in Fig. [H The resulting encrypted 
message looks like white noise to anyone without a copy of the key, but Bob can decode it 
by carrying out a bitwise exclusive OR operation with his copy of the key. 

We remark that the internal modulation of decoy/signal stat es g uarantees our system to 



be secure against the unambiguous-state-discrimination attack 



231 ] . All the components in 




FIG. 3. (a) Sifted key rate and error rate with different average photon numbers, 0, 0.1, 0.2, 
0.5, in both Z- and X-basis. The data are collected by running the system for 59.5 hours, (b) 
Extracting secure key from the raw data. In the data post-processing, we assume 3 standard 
deviations for the statistical fluctuation analysis of decoy-state method. Detailed analysis is shown 
in the Supplementary Information. 

the source part, as shown in Fig. [2^, are standard commercial optical devices, which have 
been properly calibrated. Thus, it is reasonable to assume the side channels on source are 
well shielded out. 

The developed up-conversion single-photon detector with high efficiency and low noise in 
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FIG. 4. Demonstration of the cryptographic application of the final secure key - one-time pad 
(OTP) encryption. The message, a black and white bitmap of a panda, is encrypted by the secure 
key generated from our system. 



our experiment can find immediate application in fiber based quantum technology, optical 
time domain reflectometer, photon-counting lidar and etc. Meanwhile, the technology of 
interfering two independent lasers, developed in our experiment, is also an essential building 
block of a quantum repeater 24| in global quantum communication. Furthermore, the MDI- 
QKD scheme can be extended into a quantum network with a star-like structure jljj], in 
which users only need photon sources but not detection systems. The expensive parts of the 
system, detectors, are only required at the service center, i.e., the measurement site. 

The transmission distance and secure key rate can be significantly improved by increasing 
the repetition rate, which is mainly limited by the detector timing jitter. Our up-conversion 
detector can be run under a clock rate of 2 GHz 25j, with which the transmission distance 



can go beyond 250 km and the secure key rate can be more than 1 kbits per second at 100 
km. 
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Appendix A: Key rate 



In the data post-processing, we essentially follow the numerical method presented in Ref. 



261 ] to extract final secure keys from the raw data. When the decoy-state protocol is used, 
normally, the final key is only extracted from the signal states. In our case, we extract secure 
keys from all decoy/signal states as long as the contribution is positive. In our experiment, 
we choose 4 different intensities for signal and decoy states for each arm. Thus, there are 16 
combinations of detection events and the overall key rate can be given by, 



R — Rk,i 



■■i 

k,l=0 



R k>l > max{Q?r [1 " H(e n )) - /£",0} 

fee' 1 = Qn k i>if H(E^ kVl ), 



(Al) 



where Q^ kUl (E^^) is the overall gain (quantum bit error rate, QBER) when Alice and Bob, 
respectively, use expected photon numbers of /i^ and v\\ I^ ,Ul is the cost of error correction 
with / as its efficiency; H(e) = — e log 2 (e) — (1 — e) log 2 (l — e) is the binary Shannon entropy 
function; Q^i" 1 is the rate for successful partial Bell-state measurement (BSM) when both 
sources generate single-photon states. We remark that the phase error rate of single-photon 



states, en, are assumed to be the same for all cases of signal and decoy states [11 ]. 

The final key is generated from the data obtained in Z-basis, so all the terms in Eq. ( lAlj) 
should be measured/inferred in Z-basis. The phase error rate, en, in Z-basis, which cannot 
be measured directly, is inferred by the bit error rate in A-basis, estimated by decoy states. 



Appendix B: Parameter estimation by decoy states 

In the post-processing of MDI-QKD, the error correction term only depends on the sifted 
data and error correction scheme. For the privacy amplification, there are a few parameters 
needed to be estimated: Qn'"' and en, as used in the key rate formula, Eq. flAip . Since we 
use weak coherent states as for quantum sources, according to the Poisson distribution of 
photon numbers in a coherent state, the gain of single-photon states, Qii' Ul , defined as the 
probability that both Alice and Bob send out single-photon states with the same basis and 
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obtain a successful partial BSM, is given by 

Qn Ul = /W^^n, (Bl) 

where Yu is the yield of single-photon states, that is, the probability to get a valid BSM 
in the measurement site conditioned on the case when both Alice and Bob send out single- 
photon states. Similar to phase error rate en, the yield Yu is assumed to be the same for 
all signal and decoy states [ll]. The key point of the parameter estimation in the post- 
processing is to estimate the privacy amplification term of Eq. flAlj) . which depends two 
variables, Yu and em 

Four coherent states with different intensities are used on both Alice's and Bob's sides, 
{fj,o, fii, /i2,A*a} and {z/ , ^1, ^2, ^3}, respectively. The mathematical question can be stated 



as follows 



27] 



subject to, 



min Y^[l-H{e x n )], (B2) 



i 3 

' ' \ , (B3) 



E O e Mfc+ ^ = V ^ k 1 e- Y- 



hi 



for k, I — 0, 1, 2, 3. There are 16 constraint linear equations, plus the constraints of Y^, G 
[0,1]. We remark that the variables on the left side of Eq. (1B3|) are measurable in experiment, 
while the right side is composed of linear functions of the unknowns, Y^ and e^-. Following 



the numerical method presented in Ref. [26], we can solve this minimization problem and 
estimate Yu and en and thence the key rate given by Eq. ( 1A1I) . 

In order to minimize the privacy amplification term, Eq. (1B2I) . we calculate the lower 
bound of Yu and the upper bound of en, which can be solved by linear programming. Since 
the coefficients of Y^ and e^ decrease exponentially with growth of i and j, this optimization 
problem can be solved efficiently by discarding the high order terms in the constraints of 
Eq. (IB3j) . From our numerical evaluation, we found that the effect of the terms of i,j > 7 
on the parameter estimation is negligible. Apparently, it would be more efficient if we solve 
the minimization problem, Eq. ( 1B2I) . directly, instead of bounding Yu and en separately. 
Here, we will leave it for future study. 

Moreover, when the statistical fluctuations are taken into consideration, the equality 
constraints shown in Eq. (IB3j) become inequalities. Similarly, the optimization problem can 
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be solved by linear programming, as Eq. (1B2|) . In the data post-processing of our MDI-QKD 
system, we use 3 standard deviations for the statistical fluctuation analysis. Detailed of the 
analysis can be found in Ref. 26]. 
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